How to know if you need a computer forensics company and what you need to know if you do.
Computer Forensics
Most of the time, computer problems are relatively minor—at
the worst, hard drive crashes result in lost data, including pictures,
spreadsheets, and all-important client databases.
Sometimes, though, the stakes of data loss are higher.
I know, I know; it’s hard to imagine something more
important than a complete list of your clients.
However, forensic data recovery deals with legal concerns, such as
litigation and criminal trials. If you
find yourself needing forensic data recovery, be prepared to pay big for
results.
Why would I need forensic data recovery? Why wouldn’t normal data recovery be just as
good?
Forensic data recovery isn’t for everyone, obviously. If your home or business drive crashes and
you simply need the data back, a normal data recovery
service is exactly what you need.
If, however, you need data recovered from a drive for use as evidence, or if you
need to find out whether a drive has been tampered with, forensic data
recovery is the only way to ensure that any information gained through the
recovery process will hold up in a court of law. A knowledgeable opposing lawyer will tear apart any
evidence presented without a full chain of custody report, and you may even
need an expert witness to testify.
Here’s a scenario: say one of your employees may have been
selling sensitive secrets to a rival company.
This violates his contract, and you are entitled to litigate. However, his email correspondence is the only
way to prove that he has been in negotiations with the rival company. If you use a standard data recovery service
to retrieve his files, your only piece of evidence is dubious at best. If, however, your evidence comes complete
with chain of custody reports and an explanation of what had to be done to
retrieve the data, then you have a much stronger case. Even if the data isn’t recoverable, a
forensic data recovery lab can prove that your employee purposely destroyed his
email, which in many situations is enough to end a case.
With a standard data recovery, this information may not be given to you,
at least not in a legally usable form.
What is chain of custody?
Chain of custody reports document every set of hands
that touches your drive from the moment it arrives at a forensic data recovery
lab. These are legally necessary. They also help ensure that the engineers working
on your recovery cannot spread information regarding your data, which
could damage your case. In addition to chain of custody reports, you
should always ask for a nondisclosure agreement. Nearly all forensic labs have all of their
engineers working under a standard nondisclosure agreement, which is great, but
you’ll need a written copy for your lawyer.
How should I pick a forensic data recovery company?
First of all, you should immediately speak to your lawyer regarding your
decision to pursue forensic recovery. Your lawyer
may even prefer to be the company’s main contact, speaking
legalese while you deal with other matters.
Your lawyer will know what you need from a forensic data recovery
company, and may even have one in mind.
Any company that you consider should have a recent history of forensics
cases, and preferably a specific data recovery engineer that you can speak with
directly. It’s preferable that your case
be handled by as few engineers as possible.
Likewise, if you need an expert witness, he should have
worked with many cases before yours. Ask
for a number. You don’t need someone
inexperienced.
Don’t consider cost. If you really need
forensic data recovery or an expert witness, you need to win your case, and you
will invariably pay. $400 an hour is not
uncommon, as well as a sizable retainer.
An expert witness will likely ask for travel expenses as a separate
cost, unless that witness happens to live near the city where the trial is
taking place.
How does a computer forensics company recover data?
Most of the time, forensics cases don’t involve physically damaged drives, but
rather drives with deleted files or the like.
Your forensics company will make a clone of the drive, and then work on
that clone for the remainder of the process; this ensures that there is no
chance of losing any information from your original drive. Using a large number of programs, the company
will analyze key files created by the operating system to reconstruct what a
person used the computer to do. They can
also undelete files in many situations if the drive was formatted with a Windows
file system, retrieving key pieces of evidence such as emails or Microsoft
Office documents. This is because files
deleted in Windows aren’t actually destroyed; the operating system merely marks
these files as deleted and allows their space to be overwritten. Other operating systems, in contrast, may
overwrite the files immediately when the user selects them for deletion. Once a file has been overwritten, it is usually
irretrievable, but since most users don’t realize what needs to be done to permanently
destroy a file, it is fairly common for files deleted in Windows to be
retrieved unscathed.
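To make the clone-and-verify step and the "marked deleted, not destroyed" point concrete, here is an added Python simulation; it is not code from the article or from any forensics lab. It builds a constructed eight-cluster disk image, hashes the working copy against the original, carves the freed cluster for the email header, shows the same carve fails once that cluster is overwritten, and writes one chain of custody log line. Cluster size, addresses and file contents are all constructed.

```python
import hashlib
import datetime

CLUSTER = 512  # constructed cluster size for the toy image

# Constructed contents: one live document and one email that was "deleted",
# meaning its cluster was freed in the allocation map but never wiped.
ACTIVE_DOC = b"Quarterly report draft."
DELETED_EMAIL = (b"From: employee@example.com\r\nTo: rival@example.net\r\n"
                 b"Subject: terms\r\n\r\nAs discussed, the offer stands.\r\n")

def build_image():
    """Return (image_bytes, allocated_clusters) for an 8-cluster toy disk."""
    image = bytearray(CLUSTER * 8)
    image[CLUSTER * 1:CLUSTER * 1 + len(ACTIVE_DOC)] = ACTIVE_DOC
    image[CLUSTER * 5:CLUSTER * 5 + len(DELETED_EMAIL)] = DELETED_EMAIL
    return bytes(image), {1}  # cluster 5 is unallocated but still holds data

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def clone_and_verify(original):
    """Make the working copy and prove it is bit-identical to the original."""
    copy = bytes(original)
    return copy, sha256(copy) == sha256(original)

def carve_unallocated(image, allocated, signature=b"From: "):
    """Scan only freed clusters for an email header; return recovered text."""
    found = []
    for n in range(len(image) // CLUSTER):
        if n in allocated:
            continue  # live files are read through the file system, not carved
        chunk = image[n * CLUSTER:(n + 1) * CLUSTER]
        i = chunk.find(signature)
        if i >= 0:
            found.append(chunk[i:].rstrip(b"\x00").decode("ascii", "replace"))
    return found

def overwrite_cluster(image, n, filler=b"\x00"):
    """Simulate the cluster being reused: the old bytes are gone for good."""
    out = bytearray(image)
    out[n * CLUSTER:(n + 1) * CLUSTER] = filler * CLUSTER
    return bytes(out)

def custody_entry(custodian, action, digest):
    """One line for the chain of custody log: when, who, what, image hash."""
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    return f"{stamp}\t{custodian}\t{action}\t{digest}"
```

Real tools do the same job against actual file system structures at far larger scale; the allocation set here stands in for the file system's own bookkeeping.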
If a file is deleted and overwritten, the operating system
will make a note to that effect, and a computer forensics team can find this
information for your case. For this
reason, even a successful deletion can yield positive legal results. It is extremely hard to beat a computer
forensics company at their own game.
What else can be recovered?
Don’t underestimate your forensics company.
They should be able to let you know extremely specific information, such
as the exact time someone logged in or out of a computer, what websites were
visited, when the user opened programs, and what programs were accessed
frequently. They may even be able to
reconstruct documents printed by the computer or find filenames and extensions
that had been changed by the user.
You need to think about what you need to prove, and let the
engineers know. They’re under
nondisclosure agreements, and you should fully confide any relevant information
to them. Avoid giving these details to
any other representative of the company, however.
With a good computer forensics
company, your case stands a much better chance of being successful. Be sure to
communicate with your lawyer and the engineers working on your case, and with a
little help you can quickly receive the information you need.
External Links:
Security Focus - An article going further in depth about some techniques used.
ESS Data Recovery - Company providing forensic and expert witness services.